Many of the ERM resources you encounter on my blog and elsewhere focus on elements of a formal program like developing a framework, establishing risk appetite, and more. We imply, at least indirectly, that your organization must have this formal structure in place before practicing ERM.
However, this isn’t always the case…
Double-take – why would a consultant say that an organization doesn’t need all of these formal elements in place before practicing ERM?
Although, yes, I need to make a living with my consulting firm, my role isn’t to push one certain way of doing things. Despite what you may hear elsewhere, there isn’t a one-size-fits-all approach when it comes to ERM.
There are situations where an organization can practice and benefit from ERM without formalizing the identification, assessment, and analysis of risks…in fact, in certain circumstances, establishing these formalities could end up being a negative.
Successfully practicing ERM without a formal structure boils down to two things – culture and how executives already think about risk…
Are executives already informally discussing and thinking about how risks influence decisions and planning?
Is the organizational culture conducive to open communication?
I think the best way to illustrate how this works is with a real-world example with one of my clients.
When I first came to work with this organization, I learned that executives are already factoring strategic risks (without prompting) into their thinking and that top risks are addressed within the planning process. The conversations among executives and reporting to their Board of Directors occur naturally.
In discussing any existing practices with the organization, we both realized that formalizing their process would only add more work without adding any more value…who would want to do that, right?
However, one thing I did notice was that executives were focusing almost exclusively on what we would deem as “positive” risks or opportunities…the negative or “disruptive” risks were not part of their focus.
Therefore, instead of asking about top risks, I modified my wording slightly to ask about the biggest disruptive risks that would keep them from fulfilling core functions or would otherwise drain resources.
From there, we discussed ways to plan and get in front of disruptive risks with the goal of ensuring the organization was ready to respond to events that were within their control.
I went into this detail about opportunities vs. disruptive risks because the one issue I noticed with this organization was how attention paid to positive vs. negative risks, or opportunities vs. threats, was so out-of-balance.
In order for the organization to realize the benefits of practicing ERM, they needed to balance things out a little bit, hence my slight spin by asking about “disruptive” risks instead of just risks.
Questions to consider when assessing existing practices to see if your organization is a good fit for “informal” ERM
The COSO framework provides some guidance around things organizations should consider when embarking on the ERM journey. While they don’t specifically mention it, many of these points are useful for determining if your organization is a good fit for practicing ERM in an informal way.
At a high level, COSO looks at organizational processes, not the formal elements of an ERM program. Some sample questions include:
- What is the board’s oversight and does it support management in achieving strategic and business objectives?
- Does the organization define the type of culture it desires? What is the mindset of the organization related to risk and risk-related topics?
- How does the organization formulate business objectives? Does it consider risk while establishing business objectives? How well do these objectives align and support strategy?
- Does the organization identify risks that can impact the performance of strategy and business objectives?
- How does the organization prioritize risks and how does it identify and select responses?
Notice that these questions do not mention framework, risk committee, or other elements of a formal ERM program.
If the organization’s culture, actions, and oversight is conducive to practicing ERM informally, developing a concrete framework would actually negatively influence those natural risk-informed conversations, reporting, and decision-making, making them stilted and sometimes awkward.
And one last thing, when I say “informal” ERM, I don’t mean to infer that there are no standards whatsoever…if you are conducting risk assessments, I highly recommend using some kind of criteria for likelihood and impact. Otherwise, you have no way of ensuring that everyone is on the same page or talking the same “low” or “medium” level of risk.
Has your organization been practicing ERM without a formal program? Have you been able to achieve results and realize value in the absence of a formal ERM structure?
To share your perspective, please leave a comment below or join the conversation on LinkedIn.
If your organization is looking for a way to realize the benefits of practicing ERM but feel like a formal program would add more work without adding that value, please feel free to contact me via phone or email to discuss potential options today!